David Sopas – Web Security Researcher

bug bounty

17/08/16 Bug Bounty, My Events

BSides Lisbon 2016

Guys, I’ll be a speaker at BSides Lisbon 2016 with the talk – “The way of the bounty”.
If you want to know some of my tips and secrets on bug bounty programs, don’t forget to mark the date in your calendar – 11th November.

27/11/15 Bug Bounty, Interesting Readings, Tips and Tricks

Should bug hunters provide real personal data on bug appreciation programs?

That’s a question that sometimes comes to the mind of many “hunters”.

Personally, in most cases, when I participate in these programs, I use fake information – one of the first reasons is to immediately test the input fields 🙂

On programs that require you to add your credit card info, phone number, bank info, etc., in most cases I slow down my research a bit. [As an alternative I sometimes use one-time credit cards, but in other cases you need to provide other information to test further – e.g. uploading funds using your bank account. It is also a good idea to have a phone number just for testing bug appreciation programs. I already SMS-bombed myself using a vulnerability #shameonme]
I’m not paranoid, but in my opinion it would be interesting if the program itself provided the security researcher with a payment sandbox. Some of them already do this.

Programs that want you to test their payment gateways, membership upgrades, etc. could create a private layer to help researchers. This is a win-win situation, where both parties have an interest in giving their best.
Just to give you some background on this topic, a couple of weeks ago I had access to bank information using a SQL injection vulnerability present on a bounty program. The data was in plaintext. Some of the info was from security researchers who were also testing their security.

I asked a couple of other researchers and some of them told me that they use fake payment data – that works if you are not buying anything or testing payments.

But I wanted more feedback… So I gave it a try with a voting quiz on Twitter, shared with my followers:

Do you use your personal information when bug hunting (name, phone, address, payment information, …)?

Yes – 26%
No – 39%
Not all the info – 35%

Total votes: 23 (duration: 24 hours)

Not many votes (timezone is a b****) but we can get a small idea of what bug hunters are doing.
74% of them don’t use their real information or only provide part of their personal data.

Bugcrowd told me that they provide test credentials wherever possible. They believe that providing that information to bug hunter participants is ideal, but it requires support on the backend side. Bugcrowd CEO – Casey Ellis – also told me that they advise programs [private or dojo] to create test accounts. If it’s a public program they only advise it if there’s a transaction failsafe on the processing side, because the public may start using the test accounts for regular transactions.

Working with Cobalt, I also had the opportunity to use test accounts in their private programs.

On HackerOne I have never come across test accounts, even in private programs. It would be cool if they commented on this article about it.

I have also come across some bug appreciation programs that provided credit card details [bypassing the payment checks] to give researchers the opportunity to test live transactions.

I hope that with this article I help bug appreciation program participants protect themselves while at the same time providing the program a good service.

What do you guys think about this?

12/10/15 Bug Bounty, Tips and Tricks

Free online tools to help your #bugbounty

I’m getting a few emails asking for tips on how to get some bounties. Because I like to help others and I’m a believer in sharing knowledge 🙂 I wrote this small article about using the right online tools to earn some bucks on bounty programs.

Most experienced bug hunters already know most of these tools, but this is mostly for starters.

SSL validation
URL: https://www.ssllabs.com/ssltest/

Qualys provides a free online tool that runs a complete test on a target’s SSL configuration. Heartbleed, the OpenSSL CCS vulnerability, BEAST, POODLE, etc. are all covered by this online test.

Missing SPF? Let’s test it…
URL: http://www.kitterman.com/spf/validate.html

These tools are meant to help you check SPF records on your target. For many bug bounty participants this is one of the first things to try. It usually gets the minimum payout if in scope. On HackerOne, Shopify already paid $500 for this missing email security record – https://hackerone.com/reports/54779
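The online validator does the DNS lookup for you; the logic behind a "missing SPF" finding is small enough to script. This is an added example of mine (not the author's or kitterman.com's code) that classifies the SPF posture of a set of TXT records: missing, duplicated, over the RFC 7208 lookup limit, or what the final `all` qualifier actually permits. The domain names and records are constructed so it runs offline.

```python
import re

# Mechanisms/modifiers that each cost a DNS lookup; RFC 7208 section 4.6.4 caps them at 10
LOOKUP_TERMS = {"a", "mx", "ptr", "exists", "include", "redirect"}

# What the qualifier on the "all" mechanism means for senders not matched earlier
ALL_STATUS = {"-": "hardfail", "~": "softfail", "?": "neutral", "+": "pass-all"}

def assess_spf(txt_records):
    """Classify the SPF posture expressed by a domain's TXT records."""
    spf = [r.strip() for r in txt_records if r.strip().lower().startswith("v=spf1")]
    if not spf:
        return {"status": "missing", "lookups": 0}
    if len(spf) > 1:
        # More than one v=spf1 record is a permanent error (RFC 7208 section 3.2)
        return {"status": "invalid", "reason": "multiple records", "lookups": 0}
    lookups, all_qualifier = 0, None
    for term in spf[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?").lower()
        if body == "all":
            all_qualifier = qualifier
            continue
        name = re.split(r"[:/=]", body, maxsplit=1)[0]
        if name in LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        return {"status": "invalid", "reason": "too many DNS lookups", "lookups": lookups}
    # Without an "all" term the record is neutral for every unlisted sender
    status = ALL_STATUS[all_qualifier] if all_qualifier else "no-all"
    return {"status": status, "lookups": lookups}

# Constructed TXT answers standing in for live DNS (these are not real domains)
SAMPLE_RECORDS = {
    "missing-spf.test": ["google-site-verification=constructed"],
    "hardfail.test": ["v=spf1 include:_spf.mailer.test mx -all"],
    "wide-open.test": ["v=spf1 +all"],
    "duplicate.test": ["v=spf1 -all", "v=spf1 ~all"],
}

if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        print(domain, assess_spf(records))
```

A `+all` or `no-all` result is worth reporting alongside a missing record, since neither one stops spoofed mail.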

Test X-FRAME-Options
URL: http://savanttools.com/test-frame

This tool is useful for detecting sites that use the X-Frame-Options header to block framing, or use frame-breaking / frame-busting JavaScript. Clickjacking findings can be demonstrated with the help of this tool.
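Before spending time on the framing test it helps to read the headers the target already sends. This is an added example of mine (not the author's or savanttools.com's code) that parses a raw response head and decides whether framing is blocked, applying the rules browsers actually use: a CSP `frame-ancestors` directive takes precedence over X-Frame-Options, only `DENY` and `SAMEORIGIN` are valid X-Frame-Options values, and the old `ALLOW-FROM` form is ignored by current browsers. The response heads are constructed, not captured from a real site.

```python
def parse_headers(raw_head):
    """Turn a raw HTTP response head into a lowercase-keyed dict (last value wins)."""
    headers = {}
    for line in raw_head.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def frame_protection(headers):
    """Return ('blocked' | 'framable', reason) for one response's headers."""
    csp = headers.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            # An empty source list permits no ancestors at all
            if not sources:
                return ("blocked", "frame-ancestors with empty source list")
            # "*" or a bare scheme lets any origin on that scheme frame the page
            if any(s in ("*", "http:", "https:") for s in sources):
                return ("framable", "frame-ancestors allows any origin")
            return ("blocked", "frame-ancestors " + " ".join(sources))
    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return ("blocked", "X-Frame-Options " + xfo)
    if xfo.startswith("ALLOW-FROM"):
        return ("framable", "ALLOW-FROM is obsolete and ignored by current browsers")
    if xfo:
        return ("framable", "invalid X-Frame-Options value " + xfo)
    return ("framable", "no X-Frame-Options or frame-ancestors")

# Constructed response heads for demonstration (not real sites)
RESPONSES = {
    "no-protection": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n",
    "xfo-deny": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n",
    "csp-self": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n"
                "Content-Security-Policy: default-src 'self'; frame-ancestors 'self' https://partner.test\r\n",
    "allow-from": "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://partner.test\r\n",
}

if __name__ == "__main__":
    for name, head in RESPONSES.items():
        print(name, frame_protection(parse_headers(head)))
```

Frame-busting JavaScript is not covered here: it lives in the body, not the headers, and is unreliable as a defence, so a "framable" result from the headers is the thing to verify in the browser.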

Find subdomains of a domain
URL: https://pentest-tools.com/information-gathering/find-subdomains-of-domain

pentest-tools.com gives each user 40 free credits every day, and the subdomain information-gathering scan costs 20 credits, so you can use it twice a day. This is very useful for finding other domain targets.

Online fuzzer
URL: https://pentest-tools.com/website-vulnerability-scanning/discover-hidden-directories-and-files

With only 10 credits [you have 40 credits every day] this online URL fuzzer can be used to find hidden files and directories on a web server.
This is a discovery activity that lets you find resources that were not meant to be publicly accessible (e.g. /backups, /index.php.old, /archive.tgz, /source_code.zip, etc.).
With a file/directory fuzzer you can always find interesting stuff. I already found a couple of phpinfo.php files on major companies and got a few bounties with them.

Using Drupal?
URL: https://hackertarget.com/drupal-security-scan/

With this online tool you get an overview of the Drupal version used, the template name, whether directory indexing is enabled, etc. Some of this information can be used to run further tests and determine whether something vulnerable can be found in the Drupal installation.

Using WordPress?
URL: https://hackertarget.com/wordpress-security-scan/

I’m a big fan of wp-scan, but if you need a free online tool HackerTarget will do a good job for you.
This tool will check the WordPress version, check directory indexing, list plugins [and whether updates are available], enumerate users, etc. With this information you can check for vulnerable plugins and write a good report about it.

Using Joomla?
URL: https://hackertarget.com/joomla-security-scan/

Like the previous tools, this one also gathers information about Joomla installations. Take a look at the plugins/components. Usually there is something to look for. Compare versions and Google for changelogs mentioning vulnerabilities. Very often the vulnerability in the changelog is not public, but if it says something like “CSRF on options-windows.php”, just try to download that version and audit it yourself. I’ll do that 🙂

Target store using Magento?
URL: https://www.magereport.com/

Scan your target’s Magento shop for known security vulnerabilities. This is a very useful tool that can get you a few vulnerabilities in your bounty quest.

I would like to add that there are better tools that can be installed on your operating system, but that could be another article 🙂

Tip 1: Always read the bounty program details carefully to check what’s in scope. Always respect the rules.
Tip 2: Don’t forget to also read my article. Don’t just copy-paste your online results into the report and voilà!
